On 10:14 AM 12/21/2005 -0500, it would appear that Chris Anton wrote:
Joe,
SPF records serve a very good purpose: to stop other servers from sending mail that only YOUR server should be sending... AKA forging viruses / forging spam / forging phishing. This is VERY important in the effort to curb all the forging junk that bombards us all day long.
-Chris

But you likely cannot guarantee that ALL legitimate mail from your domain will actually be sent through your server.

Simple example: A telecommuting employee's home ISP blocks outgoing port 25 (there are still email clients and email servers (earlier versions of Imail, for example) that won't support port 587, so saying "Just use port 587" is not a valid argument) and forces all outgoing mail to run through their server. As soon as that employee sends out a message using a work address, whether you like it or not and, more importantly, whether your SPF record reflects it or not, that employee's ISP's mail server is relaying legitimate email for your domain.

Now, what happens if your SPF record says that your server is the ONLY server authorized to relay mail from your domain? Your telecommuting employee's email will *always* fail any SPF test. You could solve this by including your employee's ISP server in your SPF records. No problem, unless you have multiple telecommuting employees, unless they switch ISPs, unless those same telecommuters also travel on the road and the possible headaches continue.

IF you can guarantee that 100% of the legitimate mail from your domain absolutely must, will and can travel only through a server on your domain such that you can use "v=spf1 a mx -all" then SPF can be argued to be of use in validating email from your domain. If, like most, you cannot make such an absolute guarantee and use "v=spf1 a mx ~all" then, in my opinion, your SPF record does more harm than good. As the number of legitimate "v=spf1 a mx -all" records is minuscule, I don't even bother checking SPF.


Tyran Ormond
Programmer/LAN Administrator
Central Valley Water Reclamation Facility
[EMAIL PROTECTED]


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
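
The two SPF records compared in the message above, evaluated for a sender at the office mail server and for one forced through a home ISP's relay. This is an added example, not part of the original post: the domain, host names and addresses are constructed (documentation ranges), DNS is replaced by inline tables, and only the `a`, `mx`, `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed DNS data (documentation address ranges, hypothetical names).
A_RECORDS = {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.25"]}
MX_RECORDS = {"example.com": ["mail.example.com"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def mechanism_matches(mech, domain, ip):
    """Return True if one SPF mechanism matches the connecting IP."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "a":
        return str(ip) in A_RECORDS.get(arg or domain, [])
    if name == "mx":
        hosts = MX_RECORDS.get(arg or domain, [])
        return any(str(ip) in A_RECORDS.get(h, []) for h in hosts)
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    raise ValueError(f"mechanism not handled in this sketch: {mech}")

def check_spf(record, domain, client_ip):
    """Evaluate terms left to right; the first match decides the result."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term, domain, ip):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

OFFICE_MX = "192.0.2.25"         # the domain's own mail server (constructed)
HOME_ISP_RELAY = "198.51.100.7"  # telecommuter's ISP relay (constructed)

if __name__ == "__main__":
    for record in ("v=spf1 a mx -all", "v=spf1 a mx ~all"):
        for label, ip in (("office MX", OFFICE_MX), ("home ISP relay", HOME_ISP_RELAY)):
            result = check_spf(record, "example.com", ip)
            print(f"{record:20} {label:15} -> {result}")
```

Listing the ISP relay's range with an `ip4:` term turns the second case into a pass, which is the per-ISP maintenance burden the message describes.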